Cisco Meraki Documentation

Cisco Secure Connect - Cloud Firewall Policy

Overview

Secure Connect’s Cloud Firewall provides firewall services without the need to deploy, maintain and upgrade physical or virtual appliances at each site. The Cloud Firewall gives visibility into, and control over, internet-bound traffic, branch-to-branch traffic, and remote-user traffic to the internet or to branches. Secure Connect logs all network activity and blocks unwanted traffic based on IP address, port, protocol or application (public or private) rule criteria.
 

A firewall policy describes the active configuration of the Cloud Firewall and its Intrusion Prevention System (IPS). An admin can create a firewall policy with any number of rules to control access to private applications and networks as well as to internet applications and sites. Within a policy, IPS can be enabled to detect or block potential threats such as malware, viruses or unauthorized access attempts in real time. Rules are evaluated from top to bottom and the first matching rule is applied, so arrange them in the order in which they should be evaluated: place specific rules above broader ones, otherwise the broader rule will match first and the specific rule will never fire.

 

A firewall policy rule can match several communication protocols. The Cloud Firewall filters and controls traffic sent over TCP, UDP and ICMP. It does not support the Session Initiation Protocol (SIP).

 

 

Prerequisites

To enforce firewall rules on Branch to Internet or Branch to Branch traffic:

  1. Connect a Meraki site or a non-Meraki site to Secure Connect [Click here for more information]
  2. Create Private Applications [Click here for more information]

To enforce firewall rules on Remote user to Internet or Branch traffic:

  1. Connect the branch as described in the steps above and configure the relevant applications
  2. Configure Remote Access in Secure Connect [Click here for more information]
  3. As part of the Remote Access setup, configure an IdP in Secure Connect [Click here for more information]

Cloud Firewall in the Secure Connect Dashboard

Navigate to the Secure Connect > Cloud Firewall page within the Meraki dashboard. The first time you open this page it shows the two default rules that the Cloud Firewall always enforces. Both sit at the bottom of the rule list, so they apply only to traffic that no rule above them has matched.

  1. Default rule for Internet traffic - allows all internet-bound traffic. Anything you want to block on the way to the internet therefore needs an explicit Deny rule above this default.
  2. Default rule for Private Application and Network - blocks all Branch to Branch and Remote Access to Branch traffic. Private traffic therefore needs an explicit Allow rule above this default before it can flow.

clipboard_e5bfaf04c09811f3f2b2f6c5f0c47a657.png

 

Types of Firewall Rules:

The Secure Connect Cloud Firewall provides two types of Firewall rules as shown below.

  1. Internet rule
  2. Private application and network

clipboard_e500dbf455fd1c0e250596ca67f9557b6.png

 

Creating Internet Traffic Rule:

From the top left corner of the page, click +Add Rule and select the Internet Traffic rule option. This opens the rule creation page, which walks through the four steps outlined below.

 

Rule description - Provide a name and a priority for the rule, and optionally a description.

 

clipboard_e8cde2724512749da526aa0d208498894.png

 

 

Rule Intent - Define the rule intent with the criteria listed below:

  • Action: Allow or Deny
  • Protocol: Any, TCP, UDP or ICMP
  • Sources: a subnet (CIDR) or individual IP address, a username or user group, or a tunnel.
  • Source ports: a port number or a range (defaults to “Any” if left blank)
  • Destinations: a subnet (CIDR) or individual IP address, a public application category, or specific apps from a category.
  • Destination ports: a port number or a range (defaults to “Any” if left blank)

clipboard_eab340b0fa0c3de34019094916b65739e.png

 

Rule Schedule

Here you define the start and end date and time between which the rule is enforced. Logging can optionally be enabled or disabled. A hit count interval can also be configured: when an interval is set, the hit counter resets and starts counting again each time that interval elapses.

 

If you disable logging, the hit counter is also disabled, so you cannot use hit counts to confirm that such a rule is matching traffic.

 

clipboard_e8bfe4d83b222a57a530d21db708d3da9.png

 

Lastly, set the rule status (Enable or Disable) once the rule is defined.

 

clipboard_ec92a31020d5052cb89714df3916a8497.png

 

The newly added rule now shows up in the Rules list.

 

clipboard_e587aa2062265e868d2a8aad6e739c539.png

Identity Criteria

When using an Internet traffic rule, the following source criteria can be used:

  • Users or groups of remote workers tunneled into the fabric using Secure Client RAVPN
  • A subnet representing endpoints attached to branches tunneled into the fabric using MX SD-WAN Auto-VPN
  • Note: do not use tunnel objects (including those whose names start with Remote Access orgid:(#) and Branch Access orgid:(#)) to represent subnets attached via an MX branch; reference the subnet itself instead.

 

The following destination criteria can be used:

  • Public applications, e.g., Social Networking
  • A subnet representing endpoints attached to branches tunneled into the fabric using MX SD-WAN Auto-VPN, e.g., 10.100.0.0/24

Firewall Rule Settings

You can combine the identities described above with actions, ports, protocols and applications in a cloud firewall rule. Secure Connect evaluates the rules in priority order, starting with the highest-ranked (top-most) rule. The first rule whose source identity and destination match the traffic wins, and Secure Connect applies the action defined in that rule; rules further down are not consulted.

For example, if an identity requests a web application on port 80 or 443, Secure Connect first looks for a matching firewall rule. If it finds one, the cloud firewall applies the action defined in that rule.

For web application requests, Secure Connect applies this sequence of checks:

  1. Secure Connect first matches a firewall rule to the identity and destination.
  2. If the matching rule defines a Deny (block) action, the Secure Connect cloud firewall blocks the request.
  3. If the matching rule defines an Allow action, the Secure Connect cloud firewall forwards the request to the secure web gateway (SWG). The secure web gateway then applies the security settings defined in the Web policy, so an Allow in the firewall is not the final word for web traffic.
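The following Python model is an added illustration and is not Cisco code, nor the Meraki Dashboard or Secure Connect API. It reproduces the evaluation semantics described above: ordered first-match evaluation with the two default rules at the bottom, an Allow of web traffic handing off to the SWG, and a hit counter that only advances while logging is on. It also adds a check the dashboard does not perform for you: listing rules that are shadowed by a broader enabled rule above them and can therefore never fire. All rule names, subnets and the application name are constructed sample data; the field and function names are this model's own.

```python
# Added example: toy model of ordered first-match Cloud Firewall evaluation.
# Names are illustrative only; source ports and the schedule are omitted.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    kind: str                   # "internet" or "private"
    action: str                 # "allow" or "deny"
    sources: list               # CIDR strings; empty list = any source
    destinations: list          # CIDR strings or application names; empty = any
    protocol: str = "any"       # "any", "tcp", "udp" or "icmp"
    dst_ports: tuple = (1, 65535)   # an empty port field in the dashboard means "Any"
    enabled: bool = True
    logging: bool = True
    hits: int = 0               # the hit counter only advances while logging is on


# The two rules the dashboard ships with; they always sit below the user rules.
DEFAULT_INTERNET = Rule("Default Internet", "internet", "allow", [], [])
DEFAULT_PRIVATE = Rule("Default Private App/Network", "private", "deny", [], [])


def _as_net(selector):
    """ip_network for a CIDR selector; None when the selector is an application name."""
    try:
        return ip_network(selector, strict=False)
    except ValueError:
        return None


def _matches(selectors, value):
    """True if value (an IP string or an application name) is covered by a selector."""
    if not selectors:                       # an empty field means "Any"
        return True
    try:
        addr = ip_address(value)
    except ValueError:
        addr = None                         # value is an application name
    for sel in selectors:
        net = _as_net(sel)
        if (net is None and sel == value) or (net is not None and addr is not None and addr in net):
            return True
    return False


def evaluate(policy, kind, src, dst, proto="tcp", dport=443):
    """First matching rule wins, top to bottom, with the default rule last.
    Returns (action, rule_name, next_hop); "swg" means the Web policy is applied next."""
    default = DEFAULT_INTERNET if kind == "internet" else DEFAULT_PRIVATE
    for rule in list(policy) + [default]:
        if (not rule.enabled or rule.kind != kind or rule.protocol not in ("any", proto)
                or not rule.dst_ports[0] <= dport <= rule.dst_ports[1]
                or not _matches(rule.sources, src) or not _matches(rule.destinations, dst)):
            continue
        if rule.logging:                    # logging off => counter frozen
            rule.hits += 1
        if rule.action == "deny":
            return ("deny", rule.name, None)
        web = kind == "internet" and proto == "tcp" and dport in (80, 443)
        return ("allow", rule.name, "swg" if web else "forward")
    raise AssertionError("a default rule always matches")


def _covers(outer, inner):
    """True if everything `inner` selects is also selected by `outer` (empty = any)."""
    if not outer:
        return True
    if not inner:
        return False
    nets = [n for n in map(_as_net, outer) if n is not None]
    for sel in inner:
        net = _as_net(sel)
        if net is None and sel not in outer:
            return False
        if net is not None and not any(net.version == o.version and net.subnet_of(o) for o in nets):
            return False
    return True


def shadowed(policy):
    """Names of enabled rules that can never fire because an earlier enabled rule
    of the same kind already matches a superset of their traffic."""
    out = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if (rule.enabled and earlier.enabled and earlier.kind == rule.kind
                    and earlier.protocol in ("any", rule.protocol)
                    and earlier.dst_ports[0] <= rule.dst_ports[0] <= rule.dst_ports[1] <= earlier.dst_ports[1]
                    and _covers(earlier.sources, rule.sources)
                    and _covers(earlier.destinations, rule.destinations)):
                out.append(rule.name)
                break
    return out


# Constructed sample policy: the guest Deny sits *below* the broad branch Allow,
# so it is shadowed and guest traffic to Social Networking is still allowed.
SAMPLE_POLICY = [
    Rule("Branch web out", "internet", "allow", ["10.100.0.0/16"], [],
         protocol="tcp", dst_ports=(80, 443)),
    Rule("Guest no Social Networking", "internet", "deny", ["10.100.50.0/24"],
         ["Social Networking"], protocol="tcp", dst_ports=(80, 443)),
    Rule("HQ to Branch ERP", "private", "allow", ["10.200.0.0/24"], ["10.100.0.0/24"]),
]
```

Running `shadowed(SAMPLE_POLICY)` reports the guest Deny as shadowed, and `evaluate(SAMPLE_POLICY, "internet", "10.100.50.7", "Social Networking")` allows the flow and hands it to the SWG. Moving the Deny above the Allow (the drag-and-drop reorder in the dashboard) makes the same call return a deny, while a private flow that no rule allows still falls through to the default private deny.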

Creating a Private Application and Network rule:

From the top left corner of the page, click +Add Rule and select the Private Application and Network rule option. This opens the rule creation page, which walks through the four steps outlined below.

 

Rule description - Provide a name and a priority for the rule, and optionally a description.

 

clipboard_ebd8b26c25ed69d30e93c2734c569bd88.png

 

Rule Intent - Define the rule intent with the criteria listed below:

  • Action: Allow or Deny
  • Sources: a subnet (CIDR) or individual IP address, a username or user group, or a tunnel.
  • Destinations: a subnet (CIDR) or individual IP address, or a private application defined on the Secure Connect > Applications page.

Unlike an Internet traffic rule, a Private Application and Network rule has no protocol or port fields of its own. To allow or deny specific ports and protocols, define them as a private application on the Secure Connect > Applications page and select that application as the destination of the firewall rule.

 

clipboard_e88f35c13e09fe66895f69c78aff2d121.png

Rule Schedule

Here you define the start and end date and time between which the rule is enforced. Logging can optionally be enabled or disabled. A hit count interval can also be configured: when an interval is set, the hit counter resets and starts counting again each time that interval elapses.


If you disable logging, the hit counter is also disabled, so you cannot use hit counts to confirm that such a rule is matching traffic.

 

 

clipboard_e80a3f68d2cc82e88f52a5c0c89bcb3a9.png

 

Lastly, set the rule status (Enable or Disable) before you click Save and Exit.

 

clipboard_eea14b9c2c6c09304ff45ffc5b02a4859.png

 

After you have created your firewall rules, they appear in the list view shown below.

 

clipboard_e51f4d4f19bbfd614c7da3e060316cb5b.png

 

Filtering and Bulk actions

Rules can be filtered using the options shown in the image below.

 

clipboard_e88edd40fdbe33a2c359991cff0de2095.png

 

Bulk actions can also be performed by selecting multiple rules at the same time.

 

clipboard_e62591506e997f0bc7619c8f7b2d8bf47.png

Identity Criteria

When using a Private Application and Network rule, the following source criteria can be used:

  • A subnet representing endpoints attached to branches tunneled into the fabric using MX SD-WAN Auto-VPN, e.g., 10.100.0.0/24

Note: do not use tunnel objects (including those whose names start with Remote Access orgid:(#) and Branch Access orgid:(#)) to represent subnets attached via an MX branch; reference the subnet itself instead.


The following destination criteria can be used:

  • Pre-defined private applications, e.g., a Network-Based Access application created under Secure Connect > Applications > Private Apps

  • A subnet representing endpoints attached to branches tunneled into the fabric using MX SD-WAN Auto-VPN, e.g., 10.200.0.0/24

Managing Rules

The following additional capabilities are available on the Cloud Firewall page:

  • Drag and drop rules to change their priority order, using the grab handle in front of each rule's checkbox. Because evaluation is top to bottom, this is how you move a specific rule above a broader one.
  • Additional per-rule actions are available, as shown in the image below

clipboard_e0a1b448b112d9e5ac5e9516cde4149ba.png

The Edit option lets you update the rule's attributes.

clipboard_e797b5a63de6601242d38d5eb832c9d52.png

The Duplicate option copies the rule under a new name so that the copy can be modified independently.

clipboard_ed60e32901a7d6b9d573733ff992eead8.png

Reset rule count clears the hit counter for that rule.

Get latest hits refreshes the rule's hit count from the latest available data.
Lastly, each rule's action (Allow/Deny) and status (Enable/Disable) can be toggled directly from the list.

Configure IPS settings for Firewall Policy

Secure Connect provides a set of default Intrusion Prevention System (IPS) settings that, when enabled in a firewall policy, control how Secure Connect detects or blocks traffic in your network. In addition to the default signature lists, you can add a custom IPS setting for your organization and enable its custom signature list in your firewall policy. To manage a custom signature list, see Manage IPS.

Configure IPS Settings:

To configure IPS settings, navigate to the Secure Connect > Cloud Firewall page and click the Cloud IPS settings drop-down. When IPS has not yet been configured, it appears as in the image below.

clipboard_e699277d737a389553739d21488dc5d74.png

Click the “Configure IPS settings” button to open the configuration page shown below.

clipboard_e9c198c52f6b798aea77baee2efe4ceb0.png

 

On this page, choose either Detection or Protection mode.

Detection: Detects threats or attacks in your network that match the signatures in the IPS setting. With detection mode enabled, Secure Connect identifies matching traffic patterns but does not block destinations, so you can test an IPS setting on your network without affecting traffic. Secure Connect logs these events as Allowed (Would Block) under IPS Signatures in the Activity Search report; review that report for false positives before switching to Protection.

Protection: Protects your network from known threats or attacks. With protection mode enabled, Secure Connect blocks destinations that match the signatures defined in the IPS setting.

IPS Signature list - Select the desired signature list. Any custom lists you have created are also available for selection here.

clipboard_e78366cad026b0c1a83f4a009abdd7352.png

Once ready, click the “Save” button to complete the configuration.

 

clipboard_ef3c9027f45737ea8ac985251e46090c4.png

 
